Lotte Card confirms data breach affecting nearly three million customers

Lotte Card, majority-owned by private equity firm MBK Partners, confirmed on Thursday that a hacking incident exposed the personal information of 2.97 million customers and issued a formal apology.

Lotte Card CEO Cho Jwa-jin and other company executives bow in apology during a press conference held in Jung District, central Seoul on Sept. 18. [YONHAP]

Lotte Card, majority-owned by private equity firm MBK Partners, confirmed on Thursday that a hacking incident exposed the personal information of 2.97 million customers and issued a formal apology. Of the customers whose information was leaked, 280,000 had sensitive credit data leaked, including card numbers, CVC codes and resident registration numbers, raising the risk of fraudulent use.

“I take responsibility for causing great concern and anxiety to our customers and sincerely apologize,” said Lotte Card CEO Cho Jwa-jin at a press conference in central Seoul on Thursday.

The breach was discovered during an investigation by the Financial Supervisory Service and the Korea Financial Intelligence Unit, which found that 200 gigabytes of data had been leaked. That is more than 100 times greater than the 1.7 gigabytes Lotte Card reported to regulators on Sept. 1.

The exposed data contained the personal and credit information of 2.97 million people, roughly 30 percent of Lotte Card’s 9.65 million customers.

The 280,000 customers at risk of card misuse are those who registered their card information with payment services such as Naver Pay and Samsung Pay, or online shopping platforms, between July 22 and Aug. 27. Hackers accessed their card numbers, CVC codes and resident registration numbers.

“Key-in transactions, where card details are entered manually into a payment terminal, carry the potential for fraudulent use,” Cho said. “So far, however, no misuse has been confirmed.”

For the remaining 2.69 million customers, only partially encrypted card information was leaked, meaning the possibility of fraudulent use is considered negligible.

Lotte Card holds a press conference explaining the recent hacking incident and customers' personal information leak at a venue in Jung District, central Seoul on Sept. 18. [YONHAP]

Preventive measures will primarily focus on the 280,000 high-risk customers. Starting Thursday, Lotte Card began sending text messages individually to all 2.97 million affected customers.

Those at risk of fraud will also receive phone calls instructing them to promptly request card reissuance. Customers can check whether their information was compromised via the company’s website or call center (1588-8100).

Lotte Card pledged to fully compensate any damages.

“We will take full responsibility and reimburse 100 percent of any losses stemming from this incident,” Cho said. “If secondary damages linked to the leak occur, we will also provide full compensation once the connection is confirmed.”

The company also announced a compensation plan. Customers whose information was leaked will be offered interest-free installment payments for up to 10 months through the end of the year. For the 280,000 customers required to have their cards reissued, next year’s annual fee will be waived.

Cho also hinted at the possibility of stepping down by the end of the year, pledging a leadership reshuffle.

Still, heavy sanctions from financial regulators appear unavoidable. After convening an emergency meeting, financial authorities said they would “identify every violation related to information protection and IT security and impose strict penalties under the principle of making an example.”

Authorities also signaled regulatory reforms, including the introduction of punitive fines for major security breaches, to prevent similar incidents from recurring.

In a report released the same day, NICE Investors Service projected that Lotte Card could be fined as much as 80 billion won ($57.7 million) over the data breach. The agency said it would assess the level of regulatory sanctions and changes in customer numbers before factoring the incident into the company’s credit rating.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom. BY YEOM JI-HYEON [lim.jeongwon@joongang.co.kr]